class OpenSSLSNI(object):
"""This class implements the functionality of obtaining certificates secure connection using
apache TLS Extension Server Name Indication (SNI)
"""
def connection(func):
def wrapped(self):
self._connect()
try:
return func(self)
finally:
self._close()
return wrapped
def __init__(self, host, port):
#Set host name
self._host = str(host).split('//')[-1].split(':')[0]
#Set port
self._port = int(port) if str(port).isdigit() else 443
def _connect(self):
"""This method implements the functionality of establishing a secure connection using TLS Extension"""
self._socket_client = socket()
self._socket_client.connect((self._host, self._port))
self._ssl_client = Connection(Context(TLSv1_METHOD), self._socket_client)
self._ssl_client.set_connect_state()
self._ssl_client.set_tlsext_host_name(self._host)
self._ssl_client.do_handshake()
def _close(self):
"""This method implements the functional termination created connection"""
self._ssl_client.close()
del self._socket_client
@property
@connection
def serial_number(self):
"""Returns certificates serial number"""
return self._ssl_client.get_peer_certificate().get_serial_number()
@property
@connection
def certificate(self):
"""Returns certificate"""
return OpenSSL.crypto.dump_certificate(FILETYPE_PEM, self._ssl_client.get_peer_certificate())
def main():
"""
Connect to an SNI-enabled server and request a specific hostname, specified by argv[1], of it.
"""
if len(argv) < 2:
print 'Usage: %s <hostname> [port]' % (argv[0], )
return 1
port = 443
if len(argv) == 3:
port = int(argv[2])
hostname = argv[1]
client = socket()
#client.settimeout(2)
#print 'Connecting...',
stdout.flush()
client.connect((hostname, port))
#print 'connected', client.getpeername()
client_ssl = Connection(Context(TLSv1_METHOD), client)
client_ssl.set_connect_state()
client_ssl.set_tlsext_host_name(hostname)
client_ssl.do_handshake()
host = client_ssl.getpeername()
servername = client_ssl.get_servername()
x509 = client_ssl.get_peer_certificate()
notAfter = datetime.strptime(x509.get_notAfter(), '%Y%m%d%H%M%SZ')
cert_chain = client_ssl.get_peer_cert_chain()
now = datetime.now()
timedelta = notAfter - now
DNS = ''
for i in xrange(x509.get_extension_count()):
ret = str(x509.get_extension(i))
if re.match('^DNS:', ret):
DNS = ret.replace('DNS:', '')
print "servername: %s, host: %s, port: %s" % (servername, host[0], host[1])
print "\tnotAfter: %s, remain: %s days" % (notAfter, timedelta.days)
print "\tDNS: ", DNS
print '\tCert Chain:'
for i, v in enumerate(cert_chain):
print '\t%s,i,%s' % (i, v.get_subject())
print '\t%s,s,%s' % (i, v.get_issuer())
client_ssl.close()
def _load_verify_locations_test(self, *args):
port = socket()
port.bind(('', 0))
port.listen(1)
client = socket()
client.setblocking(False)
client.connect_ex(port.getsockname())
clientContext = Context(TLSv1_METHOD)
clientContext.load_verify_locations(*args)
# Require that the server certificate verify properly or the
# connection will fail.
clientContext.set_verify(
VERIFY_PEER,
lambda conn, cert, errno, depth, preverify_ok: preverify_ok)
clientSSL = Connection(clientContext, client)
clientSSL.set_connect_state()
server, _ = port.accept()
server.setblocking(False)
serverContext = Context(TLSv1_METHOD)
serverContext.use_certificate(
load_certificate(FILETYPE_PEM, cleartextCertificatePEM))
serverContext.use_privatekey(
load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))
serverSSL = Connection(serverContext, server)
serverSSL.set_accept_state()
for i in range(3):
for ssl in clientSSL, serverSSL:
try:
# Without load_verify_locations above, the handshake
# will fail:
# Error: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE',
# 'certificate verify failed')]
ssl.do_handshake()
except WantReadError:
pass
cert = clientSSL.get_peer_certificate()
self.assertEqual(cert.get_subject().CN, 'Testing Root CA')
def get_certificate(hostname, port=443):
"""
Return TLS certificate (f.i. for https or smtps)
"""
client = socket()
client.connect((hostname, port))
client_ssl = Connection(Context(TLSv1_2_METHOD), client)
client_ssl.set_connect_state()
client_ssl.set_tlsext_host_name(hostname.encode("ascii")) # SNI
client_ssl.do_handshake()
cert = client_ssl.get_peer_certificate()
client_ssl.close()
return cert
def get_ssl(url):
print(Fore.RED+"[+] ssl certificate:"+Fore.GREEN)
first_try = re.findall(r":([0-9]+)", str(url))
if len(first_try) != 0:
for i in range(len(first_try)):
port = ''.join(first_try[i])
else:
port = int('443')
second_try = re.findall(r"/([0-9a-zA-Z\.%&#]+)", str(url))
if len(second_try) != 0:
for i in range(len(second_try)):
host = ''.join(second_try[i])
try:
try:
ssl_connection_setting = Context(SSLv3_METHOD)
except ValueError:
ssl_connection_setting = Context(TLSv1_2_METHOD)
ssl_connection_setting.set_timeout(5)
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
s.connect((host, int(port)))
c = Connection(ssl_connection_setting, s)
c.set_tlsext_host_name(str.encode(host))
c.set_connect_state()
c.do_handshake()
cert = c.get_peer_certificate()
print(Fore.RED+" --> "+Fore.GREEN+"Is Expired: ", cert.has_expired())
print(Fore.RED+" --> "+Fore.GREEN+"Issuer: ", cert.get_issuer())
subject_list = cert.get_subject().get_components()
cert_byte_arr_decoded = {}
for item in subject_list:
cert_byte_arr_decoded.update({item[0].decode('utf-8'): item[1].decode('utf-8')})
if len(cert_byte_arr_decoded) > 0:
print(Fore.RED+" --> "+Fore.GREEN+"Subject: ", cert_byte_arr_decoded)
if cert_byte_arr_decoded["CN"]:
print(Fore.RED+" --> "+Fore.GREEN+"Common Name: ", cert_byte_arr_decoded["CN"])
end_date = datetime.strptime(str(cert.get_notAfter().decode('utf-8')), "%Y%m%d%H%M%SZ")
print(Fore.RED+" --> "+Fore.GREEN+"Not After (UTC Time): ", end_date)
diff = end_date - datetime.now()
print(Fore.RED+" --> "+Fore.GREEN+'Summary: "{}" SSL certificate expires on {} i.e. {} days.'.format(host, end_date, diff.days))
c.shutdown()
s.close()
except:
print(Fore.RED+" --> "+Fore.GREEN+"Not found")
pass
def ip_ssl_connect(self, ip):
logging.basicConfig(filename=self.basedir+'/output/log/get_cert_from_ip.log', level=logging.DEBUG, format='%(asctime)s %(message)s')
try:
sslcontext = Context(TLSv1_METHOD)
sslcontext.set_timeout(30)
s = socket()
s.connect((ip, 443))
c = Connection(sslcontext, s)
c.set_connect_state()
logging.info("try to establish handshake with %s..." % ip)
c.do_handshake()
cert = c.get_peer_certificate()
logging.info("got certificate!")
c.shutdown()
s.close()
return cert
except Exception as e:
logging.info(e)
logging.info("fail to connect to port 443 with %s" % ip)
return None
def netflix_openssl_test_retry(ip):
client = socket()
print 'Connecting...',
stdout.flush()
client.connect((ip, port))
print 'connected', client.getpeername()
client_ssl = Connection(Context(TLSv1_METHOD), client)
client_ssl.set_connect_state()
client_ssl.set_tlsext_host_name(hostname)
client_ssl.do_handshake()
cert = client_ssl.get_peer_certificate().get_subject()
cn = [comp for comp in cert.get_components() if comp[0] in ['CN']]
client_ssl.close()
print cn
if hostname in cn[0][1]:
return True
else:
return False
def netflix_openssl_test_retry(ip):
client = socket()
print 'Connecting...',
stdout.flush()
client.connect((ip, port))
print 'connected', client.getpeername()
client_ssl = Connection(Context(TLSv1_METHOD), client)
client_ssl.set_connect_state()
client_ssl.set_tlsext_host_name(hostname)
client_ssl.do_handshake()
cert = client_ssl.get_peer_certificate().get_subject()
cn = [comp for comp in cert.get_components() if comp[0] in ['CN']]
client_ssl.close()
print cn
if hostname in cn[0][1]:
return True
else:
return False
def _validate_certificate_hostname_pyopenssl(self):
""" Use pyOpenSSL check if the host's certifcate matches the hostname.
Python < 2.7.9 is not able to provide a server hostname for SNI, so this
is a fallback that opens an additional connection if the initial
validation failed.
Returns:
bool: Whether or not the hostname is valid on the certificate.
"""
client = socket.socket()
client.connect((self.host, self.port))
client_ssl = Connection(Context(TLSv1_METHOD), client)
client_ssl.set_connect_state()
client_ssl.set_tlsext_host_name(self.host)
client_ssl.do_handshake()
cert = client_ssl.get_peer_certificate()
client_ssl.close()
common_name = cert.get_subject().commonName
return self._cert_host_matches_hostname(common_name, self.host)
def _validate_certificate_hostname_pyopenssl(self):
""" Use pyOpenSSL check if the host's certifcate matches the hostname.
Python < 2.7.9 is not able to provide a server hostname for SNI, so this
is a fallback that opens an additional connection if the initial
validation failed.
Returns:
bool: Whether or not the hostname is valid on the certificate.
"""
client = socket.socket()
client.connect((self.host, self.port))
client_ssl = Connection(Context(TLSv1_METHOD), client)
client_ssl.set_connect_state()
client_ssl.set_tlsext_host_name(self.host)
client_ssl.do_handshake()
cert = client_ssl.get_peer_certificate()
client_ssl.close()
common_name = cert.get_subject().commonName
return self._cert_host_matches_hostname(common_name, self.host)
def check_cerificate_invalidtime(domain, port=443):
from datetime import datetime
from OpenSSL.SSL import TLSv1_METHOD, Context, Connection
import socket
client = socket.socket()
try:
client.connect((domain, port))
ssl = Connection(Context(TLSv1_METHOD), client)
ssl.set_connect_state()
ssl.set_tlsext_host_name(domain.encode('utf-8'))
ssl.do_handshake()
cerificate = ssl.get_peer_certificate()
invalid = cerificate.get_notAfter().decode()[0:-1]
invalidtime = datetime.strptime(invalid, '%Y%m%d%H%M%S')
diff_day = invalidtime - datetime.now()
return True, {"invaliddate": invalidtime, "invalidday": diff_day.days}
except Exception as e:
return False, e.args
finally:
client.close()
pass
def main():
"""
Connect to an SNI-enabled server and request a specific hostname, specified
by argv[1], of it.
"""
if len(argv) < 2:
print 'Usage: %s <hostname>' % (argv[0],)
return 1
client = socket()
print 'Connecting...',
stdout.flush()
client.connect(('127.0.0.1', 8443))
print 'connected', client.getpeername()
client_ssl = Connection(Context(TLSv1_METHOD), client)
client_ssl.set_connect_state()
client_ssl.set_tlsext_host_name(argv[1])
client_ssl.do_handshake()
print 'Server subject is', client_ssl.get_peer_certificate().get_subject()
client_ssl.close()
def main():
"""
Connect to an SNI-enabled server and request a specific hostname, specified
by argv[1], of it.
"""
if len(argv) < 2:
print 'Usage: %s <hostname>' % (argv[0], )
return 1
client = socket()
print 'Connecting...',
stdout.flush()
client.connect(('127.0.0.1', 8443))
print 'connected', client.getpeername()
client_ssl = Connection(Context(TLSv1_METHOD), client)
client_ssl.set_connect_state()
client_ssl.set_tlsext_host_name(argv[1])
client_ssl.do_handshake()
print 'Server subject is', client_ssl.get_peer_certificate().get_subject()
client_ssl.close()
def _load_verify_locations_test(self, *args):
(server, client) = socket_pair()
clientContext = Context(TLSv1_METHOD)
clientContext.load_verify_locations(*args)
# Require that the server certificate verify properly or the
# connection will fail.
clientContext.set_verify(
VERIFY_PEER,
lambda conn, cert, errno, depth, preverify_ok: preverify_ok)
clientSSL = Connection(clientContext, client)
clientSSL.set_connect_state()
serverContext = Context(TLSv1_METHOD)
serverContext.use_certificate(
load_certificate(FILETYPE_PEM, cleartextCertificatePEM))
serverContext.use_privatekey(
load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))
serverSSL = Connection(serverContext, server)
serverSSL.set_accept_state()
for i in range(3):
for ssl in clientSSL, serverSSL:
try:
# Without load_verify_locations above, the handshake
# will fail:
# Error: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE',
# 'certificate verify failed')]
ssl.do_handshake()
except WantReadError:
pass
cert = clientSSL.get_peer_certificate()
self.assertEqual(cert.get_subject().CN, 'Testing Root CA')
def checkCertificate(url_base, url_rest, req_headers={}, request_type='GET'):
connection = http.client.HTTPSConnection(url_base, timeout=1)
certificate_is_valid = None
certificate_host_names = None
try:
client = socket.socket()
client.connect((url_base, 443))
client_ssl = Connection(Context(TLSv1_2_METHOD), client)
client_ssl.set_connect_state()
client_ssl.set_tlsext_host_name(url_base.encode('UTF-8'))
client_ssl.do_handshake()
certificate_host_names = get_certificate_hosts(
client_ssl.get_peer_certificate())
except:
pass
finally:
if client:
client.close()
try:
connection.request(request_type, url_rest, headers=req_headers)
certificate_is_valid = True
except:
certificate_is_valid = False
return (certificate_is_valid, certificate_host_names)
msg[0]) + ' , Error message : ' + msg[1]
sys.exit()
print 'Socket Created'
host = 'www.google.com'
port = 80
try:
remote_ip = socket.gethostbyname(host)
except socket.gaierror:
#could not resolve
print 'Hostname could not be resolved. Exiting'
sys.exit()
client.connect((remote_ip, port))
print 'connected', client.getpeername()
client_ssl = Connection(Context(SSLv3_METHOD), client)
client_ssl.set_connect_state()
#client_ssl.set_tlsext_host_name(argv[1])
client_ssl.do_handshake()
print 'Server subject is', client_ssl.get_peer_certificate().get_subject()
client_ssl.close()
if __name__ == '__main__':
import client
raise SystemExit(client.main())
Create Time: 13:58
"""
from socket import socket
from OpenSSL.SSL import Connection, Context, SSLv3_METHOD
import datetime
import time
sslcontext = Context(SSLv3_METHOD)
sslcontext.set_timeout(30)
ip = 'www.baidu.com'
s = socket()
s.connect((ip, 443))
c = Connection(sslcontext, s)
c.set_connect_state()
c.do_handshake()
cert = c.get_peer_certificate()
print "Issuer: ", cert.get_issuer()
print "Subject: ", cert.get_subject().get_components()
subject_list = cert.get_subject().get_components()
print "Common Name:", dict(subject_list).get("CN")
print "notAfter(UTC time): ", cert.get_notAfter()
UTC_FORMAT = "%Y%m%d%H%M%SZ"
utc_to_local_offset = datetime.datetime.fromtimestamp(
time.time()) - datetime.datetime.utcfromtimestamp(time.time())
utc_time = time.mktime(time.strptime(cert.get_notAfter(), UTC_FORMAT))
local_time = utc_time + utc_to_local_offset.seconds
print "notAfter(Local Time): ", datetime.datetime.fromtimestamp(local_time)
print "is_expired:", cert.has_expired()
c.shutdown()
s.close()
class TLSMemoryBIOProtocol(ProtocolWrapper):
"""
L{TLSMemoryBIOProtocol} is a protocol wrapper which uses OpenSSL via a
memory BIO to encrypt bytes written to it before sending them on to the
underlying transport and decrypts bytes received from the underlying
transport before delivering them to the wrapped protocol.
In addition to producer events from the underlying transport, the need to
wait for reads before a write can proceed means the
L{TLSMemoryBIOProtocol} may also want to pause a producer. Pause/resume
events are therefore merged using the L{_ProducerMembrane}
wrapper. Non-streaming (pull) producers are supported by wrapping them
with L{_PullToPush}.
@ivar _tlsConnection: The L{OpenSSL.SSL.Connection} instance which is
encrypted and decrypting this connection.
@ivar _lostTLSConnection: A flag indicating whether connection loss has
already been dealt with (C{True}) or not (C{False}). TLS disconnection
is distinct from the underlying connection being lost.
@ivar _writeBlockedOnRead: A flag indicating whether further writing must
wait for data to be received (C{True}) or not (C{False}).
@ivar _appSendBuffer: A C{list} of C{str} of application-level (cleartext)
data which is waiting for C{_writeBlockedOnRead} to be reset to
C{False} so it can be passed to and perhaps accepted by
C{_tlsConnection.send}.
@ivar _connectWrapped: A flag indicating whether or not to call
C{makeConnection} on the wrapped protocol. This is for the reactor's
L{twisted.internet.interfaces.ITLSTransport.startTLS} implementation,
since it has a protocol which it has already called C{makeConnection}
on, and which has no interest in a new transport. See #3821.
@ivar _handshakeDone: A flag indicating whether or not the handshake is
known to have completed successfully (C{True}) or not (C{False}). This
is used to control error reporting behavior. If the handshake has not
completed, the underlying L{OpenSSL.SSL.Error} will be passed to the
application's C{connectionLost} method. If it has completed, any
unexpected L{OpenSSL.SSL.Error} will be turned into a
L{ConnectionLost}. This is weird; however, it is simply an attempt at
a faithful re-implementation of the behavior provided by
L{twisted.internet.ssl}.
@ivar _reason: If an unexpected L{OpenSSL.SSL.Error} occurs which causes
the connection to be lost, it is saved here. If appropriate, this may
be used as the reason passed to the application protocol's
C{connectionLost} method.
@ivar _producer: The current producer registered via C{registerProducer},
or C{None} if no producer has been registered or a previous one was
unregistered.
"""
_reason = None
_handshakeDone = False
_lostTLSConnection = False
_writeBlockedOnRead = False
_producer = None
def __init__(self, factory, wrappedProtocol, _connectWrapped=True):
ProtocolWrapper.__init__(self, factory, wrappedProtocol)
self._connectWrapped = _connectWrapped
def getHandle(self):
"""
Return the L{OpenSSL.SSL.Connection} object being used to encrypt and
decrypt this connection.
This is done for the benefit of L{twisted.internet.ssl.Certificate}'s
C{peerFromTransport} and C{hostFromTransport} methods only. A
different system handle may be returned by future versions of this
method.
"""
return self._tlsConnection
def makeConnection(self, transport):
"""
Connect this wrapper to the given transport and initialize the
necessary L{OpenSSL.SSL.Connection} with a memory BIO.
"""
tlsContext = self.factory._contextFactory.getContext()
self._tlsConnection = Connection(tlsContext, None)
if self.factory._isClient:
self._tlsConnection.set_connect_state()
else:
self._tlsConnection.set_accept_state()
self._appSendBuffer = []
# Add interfaces provided by the transport we are wrapping:
for interface in providedBy(transport):
directlyProvides(self, interface)
# Intentionally skip ProtocolWrapper.makeConnection - it might call
# wrappedProtocol.makeConnection, which we want to make conditional.
Protocol.makeConnection(self, transport)
self.factory.registerProtocol(self)
if self._connectWrapped:
# Now that the TLS layer is initialized, notify the application of
# the connection.
ProtocolWrapper.makeConnection(self, transport)
# Now that we ourselves have a transport (initialized by the
# ProtocolWrapper.makeConnection call above), kick off the TLS
# handshake.
try:
self._tlsConnection.do_handshake()
except WantReadError:
# This is the expected case - there's no data in the connection's
# input buffer yet, so it won't be able to complete the whole
# handshake now. If this is the speak-first side of the
# connection, then some bytes will be in the send buffer now; flush
# them.
self._flushSendBIO()
def _flushSendBIO(self):
"""
Read any bytes out of the send BIO and write them to the underlying
transport.
"""
try:
bytes = self._tlsConnection.bio_read(2**15)
except WantReadError:
# There may be nothing in the send BIO right now.
pass
else:
self.transport.write(bytes)
def _flushReceiveBIO(self):
"""
Try to receive any application-level bytes which are now available
because of a previous write into the receive BIO. This will take
care of delivering any application-level bytes which are received to
the protocol, as well as handling of the various exceptions which
can come from trying to get such bytes.
"""
# Keep trying this until an error indicates we should stop or we
# close the connection. Looping is necessary to make sure we
# process all of the data which was put into the receive BIO, as
# there is no guarantee that a single recv call will do it all.
while not self._lostTLSConnection:
try:
bytes = self._tlsConnection.recv(2**15)
except WantReadError:
# The newly received bytes might not have been enough to produce
# any application data.
break
except ZeroReturnError:
# TLS has shut down and no more TLS data will be received over
# this connection.
self._shutdownTLS()
# Passing in None means the user protocol's connnectionLost
# will get called with reason from underlying transport:
self._tlsShutdownFinished(None)
except Error as e:
# Something went pretty wrong. For example, this might be a
# handshake failure (because there were no shared ciphers, because
# a certificate failed to verify, etc). TLS can no longer proceed.
# Squash EOF in violation of protocol into ConnectionLost; we
# create Failure before calling _flushSendBio so that no new
# exception will get thrown in the interim.
if e.args[0] == -1 and e.args[1] == 'Unexpected EOF':
failure = Failure(CONNECTION_LOST)
else:
failure = Failure()
self._flushSendBIO()
self._tlsShutdownFinished(failure)
else:
# If we got application bytes, the handshake must be done by
# now. Keep track of this to control error reporting later.
self._handshakeDone = True
ProtocolWrapper.dataReceived(self, bytes)
# The received bytes might have generated a response which needs to be
# sent now. For example, the handshake involves several round-trip
# exchanges without ever producing application-bytes.
self._flushSendBIO()
def dataReceived(self, bytes):
"""
Deliver any received bytes to the receive BIO and then read and deliver
to the application any application-level data which becomes available
as a result of this.
"""
self._tlsConnection.bio_write(bytes)
if self._writeBlockedOnRead:
# A read just happened, so we might not be blocked anymore. Try to
# flush all the pending application bytes.
self._writeBlockedOnRead = False
appSendBuffer = self._appSendBuffer
self._appSendBuffer = []
for bytes in appSendBuffer:
self._write(bytes)
if (not self._writeBlockedOnRead and self.disconnecting
and self.producer is None):
self._shutdownTLS()
if self._producer is not None:
self._producer.resumeProducing()
self._flushReceiveBIO()
def _shutdownTLS(self):
"""
Initiate, or reply to, the shutdown handshake of the TLS layer.
"""
shutdownSuccess = self._tlsConnection.shutdown()
self._flushSendBIO()
if shutdownSuccess:
# Both sides have shutdown, so we can start closing lower-level
# transport. This will also happen if we haven't started
# negotiation at all yet, in which case shutdown succeeds
# immediately.
self.transport.loseConnection()
def _tlsShutdownFinished(self, reason):
"""
Called when TLS connection has gone away; tell underlying transport to
disconnect.
"""
self._reason = reason
self._lostTLSConnection = True
# Using loseConnection causes the application protocol's
# connectionLost method to be invoked non-reentrantly, which is always
# a nice feature. However, for error cases (reason != None) we might
# want to use abortConnection when it becomes available. The
# loseConnection call is basically tested by test_handshakeFailure.
# At least one side will need to do it or the test never finishes.
self.transport.loseConnection()
def connectionLost(self, reason):
"""
Handle the possible repetition of calls to this method (due to either
the underlying transport going away or due to an error at the TLS
layer) and make sure the base implementation only gets invoked once.
"""
if not self._lostTLSConnection:
# Tell the TLS connection that it's not going to get any more data
# and give it a chance to finish reading.
self._tlsConnection.bio_shutdown()
self._flushReceiveBIO()
self._lostTLSConnection = True
reason = self._reason or reason
self._reason = None
ProtocolWrapper.connectionLost(self, reason)
def loseConnection(self):
"""
Send a TLS close alert and close the underlying connection.
"""
if self.disconnecting:
return
self.disconnecting = True
if not self._writeBlockedOnRead and self._producer is None:
self._shutdownTLS()
def write(self, bytes):
"""
Process the given application bytes and send any resulting TLS traffic
which arrives in the send BIO.
If C{loseConnection} was called, subsequent calls to C{write} will
drop the bytes on the floor.
"""
if isinstance(bytes, unicode):
raise TypeError(
"Must write bytes to a TLS transport, not unicode.")
# Writes after loseConnection are not supported, unless a producer has
# been registered, in which case writes can happen until the producer
# is unregistered:
if self.disconnecting and self._producer is None:
return
self._write(bytes)
def _write(self, bytes):
"""
Process the given application bytes and send any resulting TLS traffic
which arrives in the send BIO.
This may be called by C{dataReceived} with bytes that were buffered
before C{loseConnection} was called, which is why this function
doesn't check for disconnection but accepts the bytes regardless.
"""
if self._lostTLSConnection:
return
leftToSend = bytes
while leftToSend:
try:
sent = self._tlsConnection.send(leftToSend)
except WantReadError:
self._writeBlockedOnRead = True
self._appSendBuffer.append(leftToSend)
if self._producer is not None:
self._producer.pauseProducing()
break
except Error:
# Pretend TLS connection disconnected, which will trigger
# disconnect of underlying transport. The error will be passed
# to the application protocol's connectionLost method. The
# other SSL implementation doesn't, but losing helpful
# debugging information is a bad idea.
self._tlsShutdownFinished(Failure())
break
else:
# If we sent some bytes, the handshake must be done. Keep
# track of this to control error reporting behavior.
self._handshakeDone = True
self._flushSendBIO()
leftToSend = leftToSend[sent:]
def writeSequence(self, iovec):
"""
Write a sequence of application bytes by joining them into one string
and passing them to L{write}.
"""
iovec = [x.encode('latin-1') for x in iovec]
self.write(b"".join(iovec))
def getPeerCertificate(self):
return self._tlsConnection.get_peer_certificate()
def registerProducer(self, producer, streaming):
# If we've already disconnected, nothing to do here:
if self._lostTLSConnection:
producer.stopProducing()
return
# If we received a non-streaming producer, wrap it so it becomes a
# streaming producer:
if not streaming:
producer = streamingProducer = _PullToPush(producer, self)
producer = _ProducerMembrane(producer)
# This will raise an exception if a producer is already registered:
self.transport.registerProducer(producer, True)
self._producer = producer
# If we received a non-streaming producer, we need to start the
# streaming wrapper:
if not streaming:
streamingProducer.startStreaming()
def unregisterProducer(self):
# If we received a non-streaming producer, we need to stop the
# streaming wrapper:
if isinstance(self._producer._producer, _PullToPush):
self._producer._producer.stopStreaming()
self._producer = None
self._producerPaused = False
self.transport.unregisterProducer()
if self.disconnecting and not self._writeBlockedOnRead:
self._shutdownTLS()
class TLSMemoryBIOProtocol(ProtocolWrapper):
"""
L{TLSMemoryBIOProtocol} is a protocol wrapper which uses OpenSSL via a
memory BIO to encrypt bytes written to it before sending them on to the
underlying transport and decrypts bytes received from the underlying
transport before delivering them to the wrapped protocol.
In addition to producer events from the underlying transport, the need to
wait for reads before a write can proceed means the
L{TLSMemoryBIOProtocol} may also want to pause a producer. Pause/resume
events are therefore merged using the L{_ProducerMembrane}
wrapper. Non-streaming (pull) producers are supported by wrapping them
with L{_PullToPush}.
@ivar _tlsConnection: The L{OpenSSL.SSL.Connection} instance which is
encrypted and decrypting this connection.
@ivar _lostTLSConnection: A flag indicating whether connection loss has
already been dealt with (C{True}) or not (C{False}). TLS disconnection
is distinct from the underlying connection being lost.
@ivar _writeBlockedOnRead: A flag indicating whether further writing must
wait for data to be received (C{True}) or not (C{False}).
@ivar _appSendBuffer: A C{list} of C{str} of application-level (cleartext)
data which is waiting for C{_writeBlockedOnRead} to be reset to
C{False} so it can be passed to and perhaps accepted by
C{_tlsConnection.send}.
@ivar _connectWrapped: A flag indicating whether or not to call
C{makeConnection} on the wrapped protocol. This is for the reactor's
L{twisted.internet.interfaces.ITLSTransport.startTLS} implementation,
since it has a protocol which it has already called C{makeConnection}
on, and which has no interest in a new transport. See #3821.
@ivar _handshakeDone: A flag indicating whether or not the handshake is
known to have completed successfully (C{True}) or not (C{False}). This
is used to control error reporting behavior. If the handshake has not
completed, the underlying L{OpenSSL.SSL.Error} will be passed to the
application's C{connectionLost} method. If it has completed, any
unexpected L{OpenSSL.SSL.Error} will be turned into a
L{ConnectionLost}. This is weird; however, it is simply an attempt at
a faithful re-implementation of the behavior provided by
L{twisted.internet.ssl}.
@ivar _reason: If an unexpected L{OpenSSL.SSL.Error} occurs which causes
the connection to be lost, it is saved here. If appropriate, this may
be used as the reason passed to the application protocol's
C{connectionLost} method.
@ivar _producer: The current producer registered via C{registerProducer},
or C{None} if no producer has been registered or a previous one was
unregistered.
"""
_reason = None
_handshakeDone = False
_lostTLSConnection = False
_writeBlockedOnRead = False
_producer = None
def __init__(self, factory, wrappedProtocol, _connectWrapped=True):
ProtocolWrapper.__init__(self, factory, wrappedProtocol)
self._connectWrapped = _connectWrapped
def getHandle(self):
"""
Return the L{OpenSSL.SSL.Connection} object being used to encrypt and
decrypt this connection.
This is done for the benefit of L{twisted.internet.ssl.Certificate}'s
C{peerFromTransport} and C{hostFromTransport} methods only. A
different system handle may be returned by future versions of this
method.
"""
return self._tlsConnection
def makeConnection(self, transport):
"""
Connect this wrapper to the given transport and initialize the
necessary L{OpenSSL.SSL.Connection} with a memory BIO.
"""
tlsContext = self.factory._contextFactory.getContext()
self._tlsConnection = Connection(tlsContext, None)
if self.factory._isClient:
self._tlsConnection.set_connect_state()
else:
self._tlsConnection.set_accept_state()
self._appSendBuffer = []
# Add interfaces provided by the transport we are wrapping:
for interface in providedBy(transport):
directlyProvides(self, interface)
# Intentionally skip ProtocolWrapper.makeConnection - it might call
# wrappedProtocol.makeConnection, which we want to make conditional.
Protocol.makeConnection(self, transport)
self.factory.registerProtocol(self)
if self._connectWrapped:
# Now that the TLS layer is initialized, notify the application of
# the connection.
ProtocolWrapper.makeConnection(self, transport)
# Now that we ourselves have a transport (initialized by the
# ProtocolWrapper.makeConnection call above), kick off the TLS
# handshake.
try:
self._tlsConnection.do_handshake()
except WantReadError:
# This is the expected case - there's no data in the connection's
# input buffer yet, so it won't be able to complete the whole
# handshake now. If this is the speak-first side of the
# connection, then some bytes will be in the send buffer now; flush
# them.
self._flushSendBIO()
def _flushSendBIO(self):
"""
Read any bytes out of the send BIO and write them to the underlying
transport.
"""
try:
bytes = self._tlsConnection.bio_read(2 ** 15)
except WantReadError:
# There may be nothing in the send BIO right now.
pass
else:
self.transport.write(bytes)
def _flushReceiveBIO(self):
"""
Try to receive any application-level bytes which are now available
because of a previous write into the receive BIO. This will take
care of delivering any application-level bytes which are received to
the protocol, as well as handling of the various exceptions which
can come from trying to get such bytes.
"""
# Keep trying this until an error indicates we should stop or we
# close the connection. Looping is necessary to make sure we
# process all of the data which was put into the receive BIO, as
# there is no guarantee that a single recv call will do it all.
while not self._lostTLSConnection:
try:
bytes = self._tlsConnection.recv(2 ** 15)
except WantReadError:
# The newly received bytes might not have been enough to produce
# any application data.
break
except ZeroReturnError:
# TLS has shut down and no more TLS data will be received over
# this connection.
self._shutdownTLS()
# Passing in None means the user protocol's connnectionLost
# will get called with reason from underlying transport:
self._tlsShutdownFinished(None)
except Error as e:
# Something went pretty wrong. For example, this might be a
# handshake failure (because there were no shared ciphers, because
# a certificate failed to verify, etc). TLS can no longer proceed.
# Squash EOF in violation of protocol into ConnectionLost; we
# create Failure before calling _flushSendBio so that no new
# exception will get thrown in the interim.
if e.args[0] == -1 and e.args[1] == 'Unexpected EOF':
failure = Failure(CONNECTION_LOST)
else:
failure = Failure()
self._flushSendBIO()
self._tlsShutdownFinished(failure)
else:
# If we got application bytes, the handshake must be done by
# now. Keep track of this to control error reporting later.
self._handshakeDone = True
ProtocolWrapper.dataReceived(self, bytes)
# The received bytes might have generated a response which needs to be
# sent now. For example, the handshake involves several round-trip
# exchanges without ever producing application-bytes.
self._flushSendBIO()
def dataReceived(self, bytes):
"""
Deliver any received bytes to the receive BIO and then read and deliver
to the application any application-level data which becomes available
as a result of this.
"""
self._tlsConnection.bio_write(bytes)
if self._writeBlockedOnRead:
# A read just happened, so we might not be blocked anymore. Try to
# flush all the pending application bytes.
self._writeBlockedOnRead = False
appSendBuffer = self._appSendBuffer
self._appSendBuffer = []
for bytes in appSendBuffer:
self._write(bytes)
if (not self._writeBlockedOnRead and self.disconnecting and
self.producer is None):
self._shutdownTLS()
if self._producer is not None:
self._producer.resumeProducing()
self._flushReceiveBIO()
def _shutdownTLS(self):
"""
Initiate, or reply to, the shutdown handshake of the TLS layer.
"""
shutdownSuccess = self._tlsConnection.shutdown()
self._flushSendBIO()
if shutdownSuccess:
# Both sides have shutdown, so we can start closing lower-level
# transport. This will also happen if we haven't started
# negotiation at all yet, in which case shutdown succeeds
# immediately.
self.transport.loseConnection()
def _tlsShutdownFinished(self, reason):
"""
Called when TLS connection has gone away; tell underlying transport to
disconnect.
"""
self._reason = reason
self._lostTLSConnection = True
# Using loseConnection causes the application protocol's
# connectionLost method to be invoked non-reentrantly, which is always
# a nice feature. However, for error cases (reason != None) we might
# want to use abortConnection when it becomes available. The
# loseConnection call is basically tested by test_handshakeFailure.
# At least one side will need to do it or the test never finishes.
self.transport.loseConnection()
def connectionLost(self, reason):
"""
Handle the possible repetition of calls to this method (due to either
the underlying transport going away or due to an error at the TLS
layer) and make sure the base implementation only gets invoked once.
"""
if not self._lostTLSConnection:
# Tell the TLS connection that it's not going to get any more data
# and give it a chance to finish reading.
self._tlsConnection.bio_shutdown()
self._flushReceiveBIO()
self._lostTLSConnection = True
reason = self._reason or reason
self._reason = None
ProtocolWrapper.connectionLost(self, reason)
def loseConnection(self):
"""
Send a TLS close alert and close the underlying connection.
"""
if self.disconnecting:
return
self.disconnecting = True
if not self._writeBlockedOnRead and self._producer is None:
self._shutdownTLS()
def write(self, bytes):
"""
Process the given application bytes and send any resulting TLS traffic
which arrives in the send BIO.
If C{loseConnection} was called, subsequent calls to C{write} will
drop the bytes on the floor.
"""
if isinstance(bytes, unicode):
raise TypeError("Must write bytes to a TLS transport, not unicode.")
# Writes after loseConnection are not supported, unless a producer has
# been registered, in which case writes can happen until the producer
# is unregistered:
if self.disconnecting and self._producer is None:
return
self._write(bytes)
def _write(self, bytes):
"""
Process the given application bytes and send any resulting TLS traffic
which arrives in the send BIO.
This may be called by C{dataReceived} with bytes that were buffered
before C{loseConnection} was called, which is why this function
doesn't check for disconnection but accepts the bytes regardless.
"""
if self._lostTLSConnection:
return
leftToSend = bytes
while leftToSend:
try:
sent = self._tlsConnection.send(leftToSend)
except WantReadError:
self._writeBlockedOnRead = True
self._appSendBuffer.append(leftToSend)
if self._producer is not None:
self._producer.pauseProducing()
break
except Error:
# Pretend TLS connection disconnected, which will trigger
# disconnect of underlying transport. The error will be passed
# to the application protocol's connectionLost method. The
# other SSL implementation doesn't, but losing helpful
# debugging information is a bad idea.
self._tlsShutdownFinished(Failure())
break
else:
# If we sent some bytes, the handshake must be done. Keep
# track of this to control error reporting behavior.
self._handshakeDone = True
self._flushSendBIO()
leftToSend = leftToSend[sent:]
def writeSequence(self, iovec):
"""
Write a sequence of application bytes by joining them into one string
and passing them to L{write}.
"""
self.write(b"".join(iovec))
def getPeerCertificate(self):
return self._tlsConnection.get_peer_certificate()
def registerProducer(self, producer, streaming):
# If we've already disconnected, nothing to do here:
if self._lostTLSConnection:
producer.stopProducing()
return
# If we received a non-streaming producer, wrap it so it becomes a
# streaming producer:
if not streaming:
producer = streamingProducer = _PullToPush(producer, self)
producer = _ProducerMembrane(producer)
# This will raise an exception if a producer is already registered:
self.transport.registerProducer(producer, True)
self._producer = producer
# If we received a non-streaming producer, we need to start the
# streaming wrapper:
if not streaming:
streamingProducer.startStreaming()
def unregisterProducer(self):
# If we received a non-streaming producer, we need to stop the
# streaming wrapper:
if isinstance(self._producer._producer, _PullToPush):
self._producer._producer.stopStreaming()
self._producer = None
self._producerPaused = False
self.transport.unregisterProducer()
if self.disconnecting and not self._writeBlockedOnRead:
self._shutdownTLS()
print '\nChecking DNS for CAA records . . .\n'
answers = dns.resolver.query(domain, 'CAA')
print 'The following records were found:\n'
for rdata in answers:
print domain, 'in CAA', rdata.flags, rdata.value
print '\nNow checking certificate . . . \n'
print 'Using server name:', host, 'on port', port, 'for SNI ...'
client = socket()
stdout.flush()
client.connect(('{0}'.format(host), int(port)))
print 'Connected to', client.getpeername(), '\n'
client_ssl = Connection(Context(TLSv1_METHOD), client)
client_ssl.set_connect_state()
client_ssl.set_tlsext_host_name(host)
client_ssl.do_handshake()
issuer = client_ssl.get_peer_certificate().get_issuer()
issr = str(issuer)
issr = issr.strip('<>')
issr = issr.replace('X509Name object', 'Certificate Information: ')
issr = issr.replace('C=', 'Country: ')
issr = issr.replace('O=', 'Organization: ')
issr = issr.replace('CN=', 'Common Name: ')
issr = issr.split('/')
for issr in issr:
print issr
print '\n'
client_ssl.close()
exit()
def do_POST(self):
content_len = int(self.headers.get('Content-Length', 0))
post_body = self.rfile.read(content_len)
try:
json_body = json.loads(post_body)
request_type = 'GET'
if 'type' in json_body:
request_type = json_body['type']
if 'url' not in json_body or (request_type == 'POST'
and 'content' not in json_body):
self.send_result(200, prepare_output('invalid json'))
request_url = json_body['url']
request_headers = json_body[
'headers'] if 'headers' in json_body else dict()
request_content = json_body[
'content'] if request_type == 'POST' else None
request_timeout = json_body[
'timeout'] if 'timeout' in json_body else 1
request_headers = {
k.lower(): v
for k, v in request_headers.items()
}
if 'content-type' not in request_headers:
request_headers['content-type'] = 'text/plain'
new_request = request.Request(
url=request_url,
data=bytes(request_content, 'UTF-8')
if request_content else None,
headers=request_headers,
method=request_type)
# TU ZACINA GRCKA SORRY.
# cert_raw = ssl.get_server_certificate(('google.com', 443))
# cert = crypto.load_certificate(crypto.FILETYPE_PEM, cert_raw)
# print(dict(cert.get_subject().get_components()))
certificate_common_names = None
certificate_is_valid = None
if request_url.startswith('https://'):
client = None
try:
client = socket.socket()
# print('Connecting...')
client.connect(
(parse.urlparse(request_url).netloc, 443))
client_ssl = Connection(Context(TLSv1_2_METHOD),
client)
client_ssl.set_connect_state()
client_ssl.set_tlsext_host_name(
parse.urlparse(request_url).netloc.encode('UTF-8'))
client_ssl.do_handshake()
# print('Server subject is', dict(client_ssl.get_peer_certificate().get_subject().get_components()))
certificate_common_names = get_certificate_san(
client_ssl.get_peer_certificate())
except:
pass
finally:
if client:
client.close()
try:
with request.urlopen(
new_request,
timeout=request_timeout) as response:
certificate_is_valid = True
except:
certificate_is_valid = False
# TU KONCI GRCKA.
try:
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
with request.urlopen(new_request,
timeout=request_timeout,
context=ctx) as response:
res_content = response.read().decode('UTF-8')
output = prepare_output(response.status,
response.getheaders(),
res_content,
certificate_is_valid,
certificate_common_names)
self.send_result(200, output)
except HTTPError as err:
self.send_result(200, prepare_output(err.code, None, None))
except:
return self.send_result(
200, prepare_output('timeout', None, None))
except ValueError:
# import traceback
# traceback.print_exc()
self.send_result(200, prepare_output('invalid json'))
def do_GET(self):
get_params = parse.urlparse(self.path).query
get_url = input_target_url
if get_params:
get_url = '%s?%s' % (get_url, get_params)
new_headers = dict(self.headers)
if 'Host' in new_headers:
del new_headers['Host']
new_request = request.Request(url=get_url,
data=None,
headers=new_headers,
method='GET')
# TU ZACINA GRCKA SORRY.
certificate_common_names = None
certificate_is_valid = None
if get_url.startswith('https://'):
client = None
try:
client = socket.socket()
# print('Connecting...')
client.connect((parse.urlparse(get_url).netloc, 443))
client_ssl = Connection(Context(TLSv1_2_METHOD), client)
client_ssl.set_connect_state()
client_ssl.set_tlsext_host_name(
parse.urlparse(get_url).netloc.encode('UTF-8'))
client_ssl.do_handshake()
# print('Server subject is', dict(client_ssl.get_peer_certificate().get_subject().get_components()))
certificate_common_names = get_certificate_san(
client_ssl.get_peer_certificate())
except:
pass
finally:
if client:
client.close()
try:
with request.urlopen(new_request, timeout=1) as response:
certificate_is_valid = True
except:
certificate_is_valid = False
# TU KONCI GRCKA.
try:
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
with request.urlopen(new_request, timeout=1,
context=ctx) as response:
res_content = response.read().decode('UTF-8')
output = prepare_output(response.status,
response.getheaders(), res_content,
certificate_is_valid,
certificate_common_names)
self.send_result(200, output)
except HTTPError as err:
self.send_result(200, prepare_output(err.code, None, None))
except:
return self.send_result(200,
prepare_output('timeout', None, None))
from OpenSSL.SSL import Connection, Context, SSLv3_METHOD, TLSv1_2_METHOD
host = 'www.baidu.com'
try:
ssl_connection_setting = Context(SSLv3_METHOD)
except ValueError:
ssl_connection_setting = Context(TLSv1_2_METHOD)
ssl_connection_setting.set_timeout(30)
s = socket()
s.connect((host, 443))
c = Connection(ssl_connection_setting, s)
c.set_connect_state()
c.do_handshake()
cert = c.get_peer_certificate()
print "Issuer: ", cert.get_issuer()
print "Subject: ", cert.get_subject().get_components()
subject_list = cert.get_subject().get_components()
print "Common Name:", dict(subject_list).get("CN")
print "notAfter(UTC time): ", cert.get_notAfter()
UTC_FORMAT = "%Y%m%d%H%M%SZ"
utc_to_local_offset = datetime.datetime.fromtimestamp(time.time()) - datetime.datetime.utcfromtimestamp(time.time())
utc_time = time.mktime(time.strptime(cert.get_notAfter(), UTC_FORMAT))
local_time = utc_time + utc_to_local_offset.seconds
print "notAfter(Local Time): ", datetime.datetime.fromtimestamp(local_time)
print "is_expired:", cert.has_expired()
c.shutdown()
s.close()
print " \n\n Unable to complet the SSL Handshake %s" % msg
exit(1)
pass
#--- Get the remote host name
rhost = soc.getpeername()
log(("\nRemote Host name :" + host), sink)
log(("\nRemote Host IPv4 :" + rhost[0]), sink)
log(("\nRemote Host Port :" + str(rhost[1])), sink)
#--- Get and Analyse Server Certificate
cert = soc_ssl.get_peer_certificate()
cipher = soc_ssl.get_cipher_name()
log(("\nCipher Suite used : " + cipher), sink)
#--- Get Subject Info
subject_comps = cert.get_subject().get_components()
subject_name = cert.get_subject().commonName
if (not subject_name):
subject_name = get_x509_val(subject_comps, "O")
log("\nSubject Name = " + subject_name, sink)
except OpenSSL.SSL.Error, msg:
print " \n\n Unable to complet the SSL Handshake %s" % msg
exit(1)
pass
#--- Get the remote host name
rhost = soc.getpeername()
log(("\nRemote Host name :" + host), sink)
log(("\nRemote Host IPv4 :" + rhost[0]), sink)
log(("\nRemote Host Port :" + str(rhost[1])), sink)
#--- Get and Analyse Server Certificate
cert = soc_ssl.get_peer_certificate()
cipher = soc_ssl.get_cipher_name()
log(("\nCipher Suite used : " + cipher), sink)
#--- Get Subject Info
subject_comps = cert.get_subject().get_components()
subject_name = cert.get_subject().commonName
if (not subject_name):
subject_name = get_x509_val(subject_comps, "O")
log("\nSubject Name = " + subject_name, sink)
subject_email = cert.get_subject().emailAddress
try:
proxy.connect((host,port))
except socket_error:
proxy.close()
exit("[-] problem connecting to "+str(host)+":"+str(port))
ssl = SSL_Connection(ctx,proxy)
ssl.setblocking(True)
try:
ssl.set_connect_state()
ssl.do_handshake()
except:
exit(1)
digest = ssl.get_peer_certificate().digest('sha1')
proxy.close()
checkcert = digest.replace(":","").lower()+".certs.googlednstest.com"
try:
response = query(checkcert,'TXT')
except:
exit(0)
if not response:
print "No response from the DNS for this cert"
exit(0)
ans = str(response[0]).replace("\"","").split(" ")
print asctime(localtime(int(ans[0])*24*3600))
print asctime(localtime(int(ans[1])*24*3600))
try:
proxy.connect((host, port))
except socket_error:
proxy.close()
exit("[-] problem connecting to " + str(host) + ":" + str(port))
ssl = SSL_Connection(ctx, proxy)
ssl.setblocking(True)
try:
ssl.set_connect_state()
ssl.do_handshake()
except:
exit(1)
digest = ssl.get_peer_certificate().digest("sha1")
proxy.close()
checkcert = digest.replace(":", "").lower() + ".certs.googlednstest.com"
try:
response = query(checkcert, "TXT")
except:
exit(0)
if not response:
print "No response from the DNS for this cert"
exit(0)
ans = str(response[0]).replace('"', "").split(" ")
print asctime(localtime(int(ans[0]) * 24 * 3600))
print asctime(localtime(int(ans[1]) * 24 * 3600))
